Data Center Security: Not Just About Cyber
Data centers are especially vulnerable potential points of failure when it comes to cyber crimes like data theft
We need to talk about the importance of physical security at data centers. The triumvirate of “bulletproof” security — “something you know, something you have and something you are” — isn’t complete without it. Data is probably the most valuable commodity on earth right now, which means data centers are especially vulnerable potential points of failure when it comes to cyber crimes like data theft. So the question is: How can data centers keep themselves, and the data they contain, secure — even after they’ve covered the digital aspects of security? Here are some of the most important tenets of physical data center security.
It’s easy to overlook video surveillance for data centers. Even when management has had such a system installed on the premises, it doesn’t mean the cameras are strategically placed, or the software is totally up to date, or even that the footage being captured is stored securely, automatically and in perpetuity. Areas worth special consideration — and full-time surveillance — include wiring closets, server rooms, computer rooms and each entrance to the facility. In short, video surveillance isn’t something you “set and forget.” If it’s been some time since your system got an upgrade or an audit, it’s probably time to take another look. Even when video records don’t stop would-be thieves or vandals in the act, they may very well help catch the culprits before they strike again.
Access Management and Location Awareness for Staff
How many access points does your data center have, apart from the outermost entrance? There are probably several “employee portals” you have a vested interest in protecting. But what’s the best way to control physical access to these critical junctions? It may be time to take another look at physical access management systems for your data center:
- Keypads (“something you know”) are a great outermost layer of defense, but they’re not the final word on physical access management. All it takes is a misplaced Post-It note for somebody to find their way into a location they’re not meant to have access to.
- Your data center staff should carry RFID access card keys (“something you have”) that correspond to their level of access. This ensures that they can’t cross into areas they don’t have permission to access, and it also ensures they leave behind a trail of “bread crumbs” as they move about the facility.
- Biometrics (“something you are”) goes a step further by requiring authorized personnel to prove they are who they claim to be, no matter whose keycard they might be carrying.
There are other security access measures you should consider, too. You’re probably familiar with “tailgating,” which is a well-intentioned yet dangerous practice where employees hold the door for the next person entering behind them. Your security training should address and discourage this practice, but you can also drive the point home with anti-tailgating devices like interlocking vestibule doors, people counters, infrared beams, and others.
Take a walk outside for a minute and ask yourself: How close could a stranger get to your data center before somebody, or something, got in their way? It’s vital to remember that no matter how sophisticated their digital tools become, it’s easiest for thieves and vandals to compromise a lone computer or a data center if they have physical access to it. Whether it’s a trojan or virus loaded onto a USB drive or a keylogger device, there’s a lot of harm that can be done if your perimeter isn’t kept secure. What kind of gate do you have encircling your data center? If this wasn’t a priority when the building first went up, it’s probably time to consider an aluminum or steel gate for vehicles and pedestrians. You can choose from different styles such as slide gates, cantilever gates, and vertical lift gates, and each has its own advantages and drawbacks. It’s probably best to confer with a security gate expert to see what works best for your facility and the surrounding landscape.
Condition Monitoring for Sensitive Areas
Not all of the physical threats to your data center come from malign human actors. Sometimes, all it takes is a brief lapse in temperature or humidity control to spell disaster for your sensitive computer and server equipment. In other cases, it’s facilities with slapdash or out-of-inspection fire control devices that are most vulnerable. For those wondering about optimal levels for temperature and humidity in data centers, the American Society of Heating, Refrigeration and Air Conditioning Engineers (ASHRAE) provides these guidelines:
- Temperature limits: 64.4°F to 80.6°F
- Humidity limits: 40% to 60% (41.9°F to 59°F dew point)
With environmental controls accounted for, what does it take to protect your data center from the risk of fire? Like the other threats listed here, proactivity is key. Your facility should have smoke and fire detectors placed at regular intervals. Ideally, these devices should be sophisticated enough to eliminate false positives. Place fire alarms strategically so personnel in any part of the building will hear them. Additionally, pay close attention to how (and whether) your fire detection equipment provider will alert the local fire department about a fire on your premises. Some systems provide automatic detection and notification while others provide options for manual acknowledgment at fire alarm panels.
Don’t Forget the Audits
The last few years have been so damaging to our collective trust in digital services and infrastructure that, one hopes, things can only improve from here. In 2017, 15.4 million people had their data compromised by hackers, at an average cost of $1,000 per person. We’re all learning to take cybersecurity more seriously at the personal level, but that’s not especially helpful if our data centers themselves aren’t physically secure. But security-minded data center management doesn’t stop with the installation of access control and surveillance devices. Remember that none of these security techniques is particularly useful if it’s not working as intended. Your security team needs to conduct regular audits of your security infrastructure to verify, for example, that surveillance systems are retaining footage, cameras haven’t been knocked out of place, infrared beams aren’t blocked, security doors haven’t been tampered with, and other points of interest are in good condition. With each of these best practices accounted for, you’ll be in a much better position to prevent and respond to all manner of physical threats, be they natural or manmade.